Integrating Data Resiliency to QRadar SIEM

You can integrate QRadar® SIEM to detect, analyze, and respond to security threats before they harm business operations. Integrating IBM Storage Defender Data Resiliency Service with QRadar SIEM helps you to improve the coverage of your organization's cybersecurity.

Considerations
  • You can download the IBM Storage Defender Extension for QRadar from the IBM Security® App Exchange portal. The QRadar extension provides the Log Source Type, rules, offenses, and properties for events sent by the IBM Storage Defender service.

    Download the QRadar extension from the IBM Security App Exchange portal: IBM Security App Exchange

  • For the QRadar extension guide, see: QRadar Extension User Guide

Procedure:

Complete the following steps to connect Data Resiliency to QRadar.
  1. Log in to the IBM Storage Defender console.
  2. Click the hamburger menu on the upper-left of the page.
  3. Click Data Resiliency > Integrations.
  4. Click IBM Security QRadar SIEM.
  5. Click Add connection.
  6. Specify the SIEM host and TCP port for the connection to IBM Storage Defender and the associated connection manager.
    Note: Select a TCP port in the range 0 to 65535; port 5000 is not allowed.

Wait a few minutes for the connection to be added. When the connection succeeds, its status becomes active.

Note: When a connection manager is already associated with a QRadar SIEM host, that connection manager cannot be used to add another SIEM host. In that case, use a different connection manager.
Note: If a virtual machine has no IP address, the source IP address of its events in QRadar is set to the IP address of the connection manager, which was previously added as a log source. If a virtual machine has no hostname associated with it, the dvc field in the event payload maps to the Name of the virtual machine.

Actions for IBM Storage Defender events

Steps for a potential threat:
  1. Log in to the IBM Storage Defender console.
  2. On the Data Resiliency home page, click Recovery Groups.
  3. Select the recovery group from which you received the SIEM event.
  4. On the Recovery Group Protection dashboard, complete the following steps:
    1. Select the appropriate recovery point and click Activate recovery plan if required.
    2. Select the clean room profile that you want to use.
    3. Click Done.
    4. Wait for the recovery to complete.
    5. Validate that the resources are working as expected, and then use the recovery point for the production restore.
Steps for a missed heartbeat:
  1. Log in to the IBM Storage Defender console.
  2. On the Data Resiliency home page, click Recovery Groups.
  3. Select the recovery group from which you received the SIEM event.
  4. Go to the Active threat tab. In the Timeline section, view the virtual machine hostname for the Missed heartbeat event.
  5. Log in to the virtual machine that reported the missed heartbeat event, and run the following command to verify that the sensor is working properly:
    systemctl status defender-sensor

    Sample output from the command:

    defender-sensor.service - IBM Storage Defender Sensor service
         Loaded: loaded (/usr/lib/systemd/system/defender-sensor.service; enabled; preset: disabled)
         Active: active (running) since Wed 2024-05-15 17:42:44 MST; 3h 47min ago
       Main PID: 1326 (defender-sensor)
          Tasks: 3 (limit: 48928)
         Memory: 291.9M
            CPU: 50.419s
         CGroup: /system.slice/defender-sensor.service
                 ├─1326 /usr/bin/bash /usr/bin/defender-sensor
                 └─1327 /opt/ibm/defender/venv/bin/python3 -m espial.monitor
    
    May 15 17:42:44 skrill-vm7.storage.tucson.ibm.com systemd[1]: Starting IBM Storage Defender Sensor service...
    May 15 17:42:44 skrill-vm7.storage.tucson.ibm.com systemd[1]: Started IBM Storage Defender Sensor service.
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,098 INFO: Starting version 2.0.4-1713905626
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,142 INFO: Config file: /etc/opt/ibm/defender/defender-sensor.conf
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,533 INFO: Configured file systems: ['all']
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,534 INFO: Discovered file systems: ['/', '/boot', '/boot/efi', '/data', '/home>
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,534 INFO: File systems to monitor: ['/', '/boot', '/boot/efi', '/data', '/home>
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,535 INFO: Monitoring file systems: ['/', '/boot', '/boot/efi', '/data', '/home>
    May 15 17:42:51 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:51,093 INFO: Authenticating to server
    May 15 17:42:52 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:52,521 INFO: Initialization complete
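To script the sensor check from step 5 across many virtual machines, here is an added helper (not part of IBM's documentation or the Data Resiliency product) that reads a captured copy of the systemctl status output and classifies it. The "active (running)" and "Initialization complete" markers it looks for are taken from the sample output above; the abridged sample text inside the block is constructed so that it runs stand-alone.

```shell
#!/bin/sh
# Added example, not IBM code: classify captured `systemctl status defender-sensor`
# output so a missed-heartbeat triage can be scripted instead of read by eye.
# Exit status: 0 = service active and initialised, 1 = service not running,
#              2 = running but no "Initialization complete" line in the journal tail.
sensor_health() {
    status_file="$1"   # file holding the captured status text
    active_line=$(grep 'Active:' "$status_file" | head -n1)
    case "$active_line" in
        *"active (running)"*) state=running ;;
        *)                    state=down ;;
    esac
    pid=$(sed -n 's/.*Main PID: \([0-9]*\).*/\1/p' "$status_file" | head -n1)
    if [ "$state" != running ]; then
        echo "defender-sensor is NOT running: ${active_line:-no Active: line found}"
        return 1
    fi
    if grep -q 'Initialization complete' "$status_file"; then
        echo "defender-sensor running (PID ${pid:-?}) and initialised"
        return 0
    fi
    echo "defender-sensor running (PID ${pid:-?}) but initialisation not logged; check the journal"
    return 2
}

# Constructed, abridged sample in the format shown above, so the block runs stand-alone.
# On a real VM capture the text with: systemctl status defender-sensor --no-pager > /tmp/sensor.txt
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
defender-sensor.service - IBM Storage Defender Sensor service
     Loaded: loaded (/usr/lib/systemd/system/defender-sensor.service; enabled; preset: disabled)
     Active: active (running) since Wed 2024-05-15 17:42:44 MST; 3h 47min ago
   Main PID: 1326 (defender-sensor)
May 15 17:42:51 vm-example defender-sensor[1327]: 2024-05-15 17:42:51,093 INFO: Authenticating to server
May 15 17:42:52 vm-example defender-sensor[1327]: 2024-05-15 17:42:52,521 INFO: Initialization complete
EOF
sensor_health "$SAMPLE"
echo "exit status: $?"
```

Run it as `sensor_health /tmp/sensor.txt` after capturing the status on the VM named in the Missed heartbeat event; a non-zero exit is the cue to restart or reinstall the sensor before closing the event.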